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Good afternoon Chairman Graham, Ranking Member Whitehouse, and distinguished 
Members of the Subeommittee. Thank you for the opportunity to testify on behalf of the 
Department of Justiee regarding our efforts to combat cyber threats. 

The Attorney General identified this issue as a priority when he created a Cyber-Digital 
Task Force within the Department earlier this year. I have the privilege of chairing this Task 
Force, and as you know, last month the Task Force issued a public report that provides a 
comprehensive assessment of the cyber-enabled threats confronting our Nation. The Department 
appreciates the Subcommittee’s interest in making sure that the Department has the tools it needs 
to disrupt and deter cyber actors who seek to do our Nation harm. 

As I describe below, the Department’s principal role in responding to cyber threats is the 
investigation and prosecution of federal crimes, but our investigations can yield more than 
criminal charges. The Department is committed to using all of the tools at our disposal, 
including civil injunctions, information sharing, and technical operations, to counter malicious 
cyber activity, as well as to support our federal partners’ tools, like economic sanctions, 
diplomatic pressure, intelligence operations, and military action. Successfully protecting the 
Nation from cyberattacks also requires robust information sharing with the private sector, which 
is why we work with other departments and agencies to share cybersecurity information beyond 
the federal government. 

I will cover three areas in my testimony today. First, I will describe the seriousness of the 
cyber threats to our critical infrastructure, which includes our election systems. Second, I will 
discuss how the Department of Justice is responding to those threats, as described in our recent 
Task Force report. Finally, I will address some of the ways in which Congress can promote the 
Department’s mission to combat cyber threats, including those aimed at the Nation’s critical 
infrastructure. 



I, Cyber Threats to U,S, Critical Infrastructure 

Cyber threats to eritieal infrastructure deserve particular attention, because our Nation’s 
critical infrastructure provides the essential services that underpin American society and serves as 
the backbone of our economy, security, and health systems. Critical infrastructure includes the 
financial services sector, the electrical grid, dams, electoral systems, and over a dozen other 
sectors of society. Those assets, systems, and networks are considered so vital to the United 
States that their incapacitation or destruction would have a debilitating effect on our national 
security, national economic security, or our national public health or safety — or any 
combination thereof' Our adversaries seek to identify and exploit vulnerabilities in the 
sophisticated computer networks that these sectors employ. 

It is important to note that private entities own and operate the vast majority of the 
Nation’s critical infrastructure. Therefore, securing U.S. critical infrastructure is a shared 
responsibility. The Department recognizes that the private sector requires timely cyber threat 
information to secure its systems. Accordingly, the Federal Bureau of Investigation (“FBI”) 
makes threat information available to affected sectors through briefings and widely distributed 
technical alerts developed jointly with the Department of Homeland Security (“DHS”). In March 
2018, for example, the FBI and DHS announced that Russian government cyber actors had 
“targeted government entities and multiple U.S. critical infrastructure sectors, including the 
energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”^ The 
technical alert described a multistage Russian intrusion campaign that compromised small 
commercial facilities’ networks. Russian cyber actors used the networks to stage malware and to 
conduct spear-phishing attacks, which allowed the Russians to gain remote access into energy 
sector networks. The Russian cyber actors then explored those networks and moved across the 
networks to collect information pertaining to Industrial Control Systems. To respond to this 
nefarious cyber activity, information uncovered as part of this investigation led, at least in part, to 
economic sanctions against Russia when the Treasury Department announced sanctions against 
five Russian entities and nineteen Russian individuals on March 15, 2018.^ 


'42U.S.C. § 5195c(e). 

^Alert TA18-074A, “Russian Government Cyber Activity Targeting Energy and Other Critical 
Infrastructure,” U.S. COMPUTER Emergency Readiness Team, U.S. Dept, of Homeland Security (March 15, 
2018), available at: https://'www.us-cert.gov/ncas/alerts/TA18-074A (last accessed August 7, 2018). For information 
regarding more recent Russian cyber threats, see, e.g., Press Release, “Justice Department Announces Actions to 
Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices,” U.S. Dept, of 
Justice (May 23, 2018), available at: 

https://www.iustice.gov/opa/pr/iustice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet- 

infected (last accessed August 7, 2018). 

^Press Release, “Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections 
and Malicious Cyber-Attacks,” U.S. Dept, of Treasury (March 15, 2018), available at: 
https://home.treasurv.gov/index.php/news/press-releases/sm0312 (last accessed August 7, 2018). 
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Cyber operations could also target our election systems. For example, adversaries could 
use cyber-enabled means to target voter registration databases and voting machines. In fact, the 
Intelligence Community assessed in 2017 that Russian intelligence “accessed elements of 
multiple state or local electoral boards” during the 2016 U.S. presidential election."^ DHS has 
assessed that the types of systems the Russian cyber actors targeted or compromised were not 
involved in vote tallying,^ and to our knowledge, no foreign government has succeeded in 
perpetrating ballot fraud. Nonetheless, the risk is real. Securing these systems and ensuring the 
integrity of our elections is one of our utmost priorities. 

Russia is not the only state sponsor of malicious cyber activity. To take one prominent 
publicly available example, we know that the Iranian government has targeted our critical 
infrastructure, specifically our financial sector, with cyberattacks. In response, in March 2016, a 
federal grand jury indicted seven Iranian hackers belonging to two companies that worked for 
Iran’s Islamic Revolutionary Guard Corps for their role in Distributed Denial of Service 
(“DDoS”) attacks targeting the public-facing websites of nearly fifty U.S. banks. These DDoS 
attacks against the U.S. financial sector began in approximately December 2011, and occurred 
sporadically until September 2012, at which point they escalated in frequency to a near-weekly 
basis. At their peak, the attacks disrupted hundreds of thousands of customers’ ability to access 
their accounts online and conduct transactions, and the affected banks’ remediation costs ran into 
the tens of millions of dollars. Furthermore, one of the hackers also repeatedly gained access to 
the Supervisory Control and Data Acquisition (“SCADA”) system of a dam in New York, 
allowing him to obtain information regarding the dam’s status and operation.^ 

To take another example — this one involving North Korea — in May 2018, the FBI and 
DHS issued a technical alert notifying the public about the FBI’s high confidence that malicious 
North Korean government cyber actors have been using malware since at least 2009 “to target 
multiple victims globally and in the United States,” across various sectors — including critical 
infrastructure sectors.^ 

These examples highlight the varied nature of the cyber threats to our Nation’s critical 
infrastructure. Preventing and responding to cyber intrusions and attacks requires a strong 
defense using a coordinated government approach, with the support of the private sector. The 
Department of Justice plays an important role in this combined effort. 


"^Office of the Director of National Intelligence, Background to “Assessing Russian Activities and Intentions 
in Recent U.S. Elections”: The Analytic Process and Cyber Incident Attribution 2 (Jan. 2017) (“ODNI Report”), 
available at: https://www.dni.gov/files/documents/ICA 2017 01.pdf (last accessed August 7, 2018). 

Hd. 

^See Indictment in United States v. Ahmad Fathi, et al., No. 16-CRM-48 (S.D.N.Y., March 24, 2016), 
available at: https://www.iustice.gov/opa/fle/834996/download (last accessed August 7, 2018). 

’Alert TA18-149A, “HIDDEN COBRA - Joanap Backdoor Trojan and Brambul Server Message Block 
Worm,” U.S. COMPUTER Emergency Readiness Team, U.S. Dept, of Homeland Security (last revised May 31, 
2018), available at: https://www.us-cert.gov/ncas/alerts/TA18-149A (last accessed August 7, 2018). 
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II, The Department of Justice’s Role in Combating Cyber Threats 

The Department of Justiee’s eore mission is to investigate and proseeute federal erimes, 
ineluding eomputer intrusions and attacks, whether perpetrated by a transnational criminal group, 
a lone hacker, or an officer of a foreign military or intelligence service. Our primary role is to 
investigate those incidents, determine who was responsible, prosecute them where the evidence 
supports it, and share intelligence we gather in connection with our investigations. We work 
closely with our partners across the Government and around the world to arrest such actors, 
extradite them, prosecute them, and obtain restitution for victims whenever possible. Further, 
through our Office of Justice Programs, we also support training law enforcement, prosecutors, 
and public safety officers in cyber-related crimes, both through online and classroom training. 
This training assists in identifying cyber crimes and infrastructure intrusions, in preparation for 
either possible State or federal prosecution. 

These partnerships across the Government are important. To take election infrastructure 
as an example, other Departments, like DHS, are primarily responsible for designing security 
standards, helping protect private and government networks, and assisting victims in their 
recovery from cyberattacks. By contrast, we are responsible for investigating intrusions and 
attacks, figuring out who perpetrated them, and bringing those malicious actors to justice. Based 
on our cyber investigations, we also share cybersecurity threat information to help victims protect 
themselves. 

As I mentioned at the outset, the Attorney General has prioritized the Department’s 
efforts to combat cyber-enabled threats. The report that the Attorney General’s Cyber-Digital 
Task Force issued last month discusses in detail our extensive efforts to help secure the Nation. 

The report begins in chapter 1 by focusing on the threat posed by malign foreign 
influence operations. We define such operations as covert actions by foreign governments that 
are intended to sow division in our society, undermine confidence in our democratic institutions, 
and otherwise affect political sentiment and public discourse to achieve strategic geopolitical 
objectives. While cyber operations that target election systems (such as voting machines and 
voter databases) and related infrastructure represent one aspect of the problem, foreign malign 
influence operations also are designed to affect the views of American voters, depress voter 
turnout, or undermine confidence in election results. Chapter 1 of the Task Force report 
categorizes these operations and outlines the Department’s framework to counter them ahead of 
the 2018 midterm elections. The chapter also describes the work of the FBI’s Foreign Influence 
Task Force, which integrates the FBI’s cyber, counterintelligence, counterterrorism, and criminal 
law enforcement resources to better counter malign foreign influence operations. Finally, chapter 
1 announces a new disclosure policy pursuant to which the Department will notify victims, social 
media providers, or the public, as appropriate, regarding efforts by foreign adversaries to target 
them in connection with a malign foreign influence operation. 
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As the Cyber-Digital Task Foree report observes, the Department of Justiee plays an 
important role in eombating foreign efforts to interfere in our elections, but the Department is 
only one part of an effective response. Combating foreign influence operations requires a whole- 
of-society approach involving coordinated actions by federal. State, and local government 
agencies, including State and local agencies that are responsible for election systems; cooperation 
from victims and the private sector, including social media companies; and the active 
engagement of an informed public. 

In chapters 2 and 3, the Task Force report discusses other significant cyber-enabled 
threats confronting our Nation, including attacks intended to damage computer systems; data 
theft; fraud schemes; crimes threatening personal privacy, such as sextortion and other forms of 
blackmail and harassment; and attacks on critical infrastructure. These chapters detail the 
important work that the Department of Justice is doing to keep America safe in the face of these 
complex and evolving threats. Chapter 4 focuses on a critical aspect of the Department’s mission 
in which the FBI plays a lead role, namely, responding to cyber incidents. Chapter 5 then turns 
inward, focusing on the Department’s efforts to recruit and train our own personnel on cyber 
matters. Finally, the report concludes in chapter 6 with observations about certain priority policy 
matters, including how the global nature of cyber-enabled crime brings with it technological and 
legal impediments to the Department’s ability to identify and locate malicious actors and bring 
them to justice, as well as other ideas discussed below. 

We hope that the report provides the Subcommittee and the public with a better 
understanding of the Department’s role in combating cyber threats; the tools we rely on to 
confront these threats; how we support other government efforts to address these threats; and the 
challenges we continue to face. 

Ill, New Ideas to Combat Cyber Threats 

In the face of these disturbing and ever-increasing threats, I know the Subcommittee has 
on its mind a key question: How can Congress help, today? The Department continues to 
explore how to respond to today’s threat of malign foreign influence and whether additional 
enforcement and disclosure tools would be useful and appropriate. In the meantime, as our Task 
Force concluded, there are several key changes to federal law that would greatly aid our work to 
combat threats online. 

I first want to thank this Subcommittee and, specifically, the Chair and Ranking Member, 
for their leadership in shepherding the passage of the Clarifying Lawful Overseas Use of Data 
(“CLOUD”) Act earlier this year. This important piece of legislation will greatly advance the 
Department’s work and will enhance both security and privacy around the world. We appreciate 
that Congress has made clear that U.S. law-enforcement orders issued under the Stored 
Communications Act require the disclosure of data wherever a provider chooses to store that 
data. The impact of this clarification was immediate and dramatic, making Americans safer and 
investigations more efficient. As you know, the CLOUD Act also creates incentives for bilateral 



agreements that enable investigators to seek data without eausing unneeessary conflicts of laws. 
These bilateral agreements will help create more efficient processes among rights-respecting 
countries for solving crime, and will ease the burden on our Nation’s mutual legal assistance 
procedures. 

The CLOUD ACT has helped address one of the key challenges facing law enforcement 
in the area of cybercrime, but many others still exist. I would like to spend most of my time 
today focusing on areas of concern in the Computer Fraud and Abuse Act (“CFAA”) and related 
statutes that currently hamper our work to combat threats online. The CFAA is the primary 
federal law against hacking. It protects the public against criminals who intrude into computers 
to steal information, install malicious software, and delete files. It was also intended to 
criminalize malicious conduct by insiders who abuse their right of access to computer systems 
and networks to commit online crime. The CFAA, in short, reflects our baseline expectation that 
people are entitled to have control over their own computers and are entitled to trust that the 
information they store in their computers remains safe. 

The CFAA was enacted in 1986, at a time when the problem of online crime was still in 
its infancy. Over the years. Congress has enacted a series of measured, modest changes to the 
CFAA to encompass new technologies and to equip law enforcement to respond to changing 
threats. The CFAA has not been amended since 2008, however, and the intervening years have 
again witnessed the need for the enactment of modest, incremental changes. The CFAA needs to 
be updated to make sure that it continues to appropriately deter violations of Americans’ privacy 
and security. 

A, Deterring insider threats 

The CFAA is a privacy statute. It deters criminals from stealing peoples’ information. 
Yet, the CFAA’s privacy protections now contain a significant gap. The statute was meant to 
apply both to hackers who gain access to victim computers without authorization from halfway 
around the world, and to so-called “insiders” who have some authorization to access a 
computer — like company employees entitled to access a sensitive database for specified work 
purposes — but who intentionally abuse that access. The part of the CFAA that covers the 
conduct of those who have some authorization to access a computer is the tool that Department 
prosecutors have used to charge, for example, police officers who misuse their access to 
confidential criminal records databases in order to look up sensitive information about a 
boyfriend or girlfriend, who sell access to private records to others, or who provide confidential 
law enforcement information to a charged drug trafficker. As a recent survey of 472 
cybersecurity professionals indicated, 90% percent of organizations feel vulnerable to insider 
attacks, and 53% have confirmed insider attacks against their organization in the previous 12 
months. The survey also found that the type of data most vulnerable to insider attacks is 
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confidential business information, and that a plurality of those surveyed estimated that the 
potential cost/loss of an insider attack was between $100,000 and $500,000.* 

Unfortunately, recent judicial decisions have limited the Government’s ability to 
prosecute such cases. As a result of these decisions, insiders cannot be charged under the 
CFAA — even where the insider has intentionally exceeded the bounds of his legitimate access 
to confidential information and has caused significant harm to his employer and to the people, 
often everyday Americans, whose data he has improperly accessed. 

The insider threat is relevant to voting security. Currently, for example, if a foreign 
hacker accessed a State’s voter registration database over the Internet, that could be charged 
under the CFAA as an access “without authorization.” But if an insider, such as a State 
government employee, used his privileges to access the same information, that insider could not 
be prosecuted under the CFAA, at least as several courts have interpreted the statute. 

The narrow judicial interpretation of the term “exceeds authorized access” in the CFAA 
stems from concerns that the statute potentially makes relatively trivial conduct a federal crime. 
One frequently cited hypothetical along these lines is the theoretical threat of prosecution faced 
by an employee who uses the Internet to check baseball scores at lunchtime in violation of his 
employer’s strict business-only Internet use policy. We understand the concerns of the courts, 
and 1 would like to reiterate that the Department of Justice has no interest in prosecuting 
harmless violations of use restrictions like these. 

However, by essentially barring all CFAA prosecutions of insiders, these court decisions 
have constrained our ability to bring certain cybereriminals to justice. Over the last several years, 
numerous Department of Justice officials have called on Congress to address this issue in a 
manner that would maintain the law’s key privacy-protecting function, while ensuring that trivial 
violations of things like a website’s terms of service do not constitute federal crimes. 

The Department supports efforts that would accomplish this task. This can be done by 
clarifying that the definition of “exceeds authorized access” includes the situation where the 
person accesses the computer for a purpose that he knows is not authorized by the computer 
owner. This clarification is necessary to permit the prosecution of, for example, a law 
enforcement officer who is permitted access to criminal records databases, but only for official 
business purposes. At the same time, a legislative fix could add new limitations to make clear 
that trivial conduct does not constitute a crime. For example, a limitation could be put into the 
CFAA making clear that in order to constitute a crime under the new insider provision, not only 
must an offender access a protected computer in excess of authorization and obtain information, 
but the information must be worth $5,000 or more, the access must be in furtherance of a 
separate felony offense, or the information must be stored on a government computer. 


*^Crowd Research Partners, “Insider Threat: 2018 Report,” available at: 
http://crowdresearchpartners.eom/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf (last accessed 
August 7, 2018). 
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We strongly believe that the insider threat problem in the CFAA ean be fixed in a way 
that ensures the CFAA does not inadvertently eover trivial eonduet, while empowering the 
Department to proseeute and deter signifieant threats to privaey and seeurity. Of all of the 
reforms to the CFAA under eonsideration by this Subeommittee, addressing this problem would 
have the most immediate, signifieant impaet in improving our ability to punish and deter 
eybereriminals. We would like to work elosely with Congress and, speeifieally, this 
Subeommittee, to find a way forward on this pressing issue. 

B, Certain malicious activities as RICO predicates 

We support the efforts in the proposed International Cybererime Prevention Aet 
(“ICPA”), sponsored by the Chair and Ranking Member, to update the Raeketeering Infiueneed 
and Corrupt Organizations Aet (“RICO”) to make CFAA offenses and eertain Wiretap Aet 
offenses subjeet to RICO. As eomputer teehnology has evolved, it has beeome a key tool of 
organized erime. Criminal organizations operating around the world haek into publie and private 
eomputer systems, ineluding systems key to Ameriea’s national seeurity and defense. They 
hijaek eomputers to steal Amerieans’ identity and finaneial information; they extort Ameriean 
businesses with threats to disrupt eomputers; and they eommit a range of other online erimes. 

Aeeordingly, mueh of the fight against transnational organized erime has moved online, 
federal proseeutors have used RICO for over forty years to proseeute organized eriminals ranging 
from mob bosses to Hells Angels to members of MS-13. Just as RICO has proven to be an 
effeetive tool to proseeute the leaders of these organizations who may not have been direetly 
involved in eommitting the underlying erimes, it should be a tool to fight eriminal organizations 
that use eomputer intrusions and other CFAA violations to further their sehemes. These ehanges, 
as proposed in ICPA, would simply make elear that all types of CFAA violations should be 
eonsidered eriminal aetivities under the RICO statute, with the assoeiated heavy penalties. 

C. Protecting election computers from attack 

Protecting election infrastructure from attack is another important goal. Yet, as the 
Department’s recent Cyber-Digital Task Force report noted, “should hacking of a voting machine 
occur, the government would not, in many conceivable circumstances, be able to use the CFAA 
to prosecute the hackers.” The CFAA’s current definition of “protected computer” includes 
computers “affecting interstate or foreign commerce,” a definition that attempts to encompass the 
breadth of congressional power under the Commerce Clause. We are concerned that courts 
might conclude that the Commerce Clause power, alone, does not reach voting machine 
computers that are not used in a commercial setting, are not used in interstate communication, 
and are typically never connected to the Internet or to any other network. We believe, however, 
that Congress could reach such hacking by other means, such as its power to regulate federal 
elections in Article I, Section 4, of the Constitution. 
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Expanding the definition of a proteeted eomputer to inelude eleetronie voting maehines 
will strengthen eonfidenee in the integrity of our eleetoral system and ensure that any attempts to 
manipulate the results of an eleetion ean be proseeuted to the fullest extent under federal law. 

We therefore applaud the introduetion of S. 3311, whieh would aeeomplish this important goal. 

D, Botnets 

Another striking example of online erime that victimizes Americans is the threat from 
botnets — networks of victim computers surreptitiously infected with malicious software, or 
“malware.” Once a computer is infected with malware, it can be controlled remotely from 
another computer with a so-called “command and control” server. Using that control, criminals 
can steal usernames, passwords, and other personal and financial information from the computer 
user, or hold computers and computer systems for ransom. Criminals can also use armies of 
infected computers to commit other crimes, such as DDoS attacks, or to conceal their identities 
and locations while perpetrating crimes ranging from drug dealing to online child sexual 
exploitation. 

The scale and sophistication of the threat posed by botnets is increasing every day. 
Individual hackers and organized criminal groups are using state-of-the-art techniques to infect 
hundreds of thousands — sometimes millions — of computers and cause massive financial 
losses, all while becoming increasingly difficult to detect. If we want security to keep pace with 
criminals’ technological innovations, we need to ensure that we have a variety of effective tools 
to combat rapidly evolving cyber threats like these. 

One powerful tool that the Department has used to disrupt botnets and free victim 
computers from criminal malware is the civil injunction process. Current law gives federal 
courts the authority to issue injunctions to stop the ongoing commission of certain crimes by 
authorizing actions that prevent a continuing and substantial injury. This authority played a 
critical role in the Department’s successful disruption of the Coreflood botnet in 2011 and of the 
Gameover Zeus botnet in 2014. (The Gameover Zeus botnet, which infected computers 
worldwide, inflicted over $100 million in losses on American victims alone, many of them small- 
and medium-sized businesses.) Because the criminals behind these particular botnets used them 
to commit fraud against banks and bank customers, existing law allowed the Department to 
obtain court authority to disrupt the botnets by taking actions such as disabling communications 
between infected computers and the command and control servers. 

The problem is that current law permits courts to consider injunctions only for limited 
categories of crimes, including certain frauds and illegal wiretapping. Botnets, however, can be 
used for many different types of illegal activity. They can be used to steal sensitive corporate 
information, to harvest email account addresses, to hack other computers, or to execute denial of 
service attacks against websites or other computers. Yet — depending on the facts of any given 
case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may 
lack the statutory authority to consider an application by prosecutors for an injunction to disrupt 
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the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood 
and Gameover Zeus botnets. 

Thus, we support the provision in ICPA that would add activities like the operation of a 
botnet to the list of offenses eligible for injunctive relief. ICPA would allow the Department to 
seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim 
computers have been hacked. This numerical threshold focuses the injunctive authority on 
enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread 
attacks on computers using malicious software (such as ransomware). 

The same legal safeguards that currently apply to obtaining civil injunctions, and that 
applied to the injunctions obtained by the Department in the Coreflood and Gameover Zeus 
cases, would also apply under the ICPA proposal. Before an injunction is issued, the 
Government must civilly sue the defendant and demonstrate to a court that it is likely to succeed 
on the merits of its lawsuit and that the public interest favors an injunction; the defendants and 
enjoined parties have the right to notice and to have a hearing before a permanent injunction is 
issued; and the defendants and enjoined parties may move to quash or modify any injunctions 
that the court issues. 

I would now like to turn to the criminal statutes that prohibit the creation and use of 
botnets. Unfortunately, these statutes also contain shortcomings. We find that criminals 
continue to find new ways to make money illegally through botnets. Law enforcement officers 
now frequently observe that creators and operators of botnets not only use botnets for their own 
illicit purposes, but also sell or even rent access to the infected computers to other criminals. 

Current criminal law prohibits the creation of a botnet because it prohibits hacking into 
computers without authorization. It also prohibits the use of botnets to commit other crimes. 

But it is not similarly clear that the law prohibits the sale or renting of a botnet. In one case, for 
example, undercover officers discovered that a criminal was offering to sell a botnet consisting of 
thousands of victim computers. The officers accordingly “bought” the botnet from the criminal 
and notified the victims that their computers were infected. The operation, however, did not 
result in a prosecutable U.S. offense because there was no evidence that the seller himself had 
created the botnet in question. While trafficking in botnets is sometimes chargeable under other 
subsections of the CFAA, this problem has resulted in, and will increasingly result in, the 
inability to prosecute individuals selling or renting access to thousands of hacked computers. 

We believe that it should be illegal to sell or rent surreptitious control over infected 
computers to another person, just like it is already clearly illegal to sell or transfer computer 
passwords. That is why we support the provision in ICPA to prohibit the sale or transfer not only 
of “password[s] and similar information” (the wording of the existing statute) but also of “means 
of access,” which would include the ability to access computers that were previously hacked and 
are now part of a botnet. In addition, we recommend replacing the current requirement that the 
Government prove that the offender had an “intent to defraud” with a requirement to prove that 
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the offender not only knew his conduet is “wrongful,” but also that he knew or should have 
known that the means of access would be used to hack or damage a computer. This last change 
is necessary because, as noted above, criminals do not use botnets only to commit fraud — they 
also use them to commit a variety of other crimes. 

Some commentators have raised the concern that this proposal would chill the activities 
of legitimate security researchers, academics, and system administrators. The Department takes 
this concern seriously. We have no interest in prosecuting such individuals, and our proposal 
would not prohibit legitimate activity. That is because the Government should have the burden 
to prove, beyond a reasonable doubt, that the individual intentionally undertook an act 
(trafficking in a means of access) that he or she knew to be wrongful. The Government should 
similarly have to prove that the individual knew or had reason to know that the means of access 
would be used to commit a crime by hacking someone else’s computer without authorization. 

ICPA’s approach makes clear that ordinary conduct by legitimate security researchers and 
others is not a crime. We believe that ICPA’s botnet injunction provision strikes the proper 
balance in prohibiting the pernicious conduct I have described without chilling the activities of 
those who are trying to improve cybersecurity for us all. 

E. Enhanced penalties for malicious activity directed at critical infrastructure 

The Department also supports the efforts in ICPA to strengthen the criminal code to 
better deter malicious activities directed at computers and networks that control our critical 
infrastructures. As I have discussed, America’s open and technologically complex society 
includes, as a part of its critical infrastructure, numerous vulnerable targets. While the CFAA’s 
maximum penalties apply to malicious efforts to harm the computers and networks that run our 
critical infrastructure, the statute does not currently require any enhanced penalties for such 
conduct. While it is reasonable to believe that judges would impose appropriate prison terms if 
malicious activity severely debilitates a critical infrastructure system, it is possible that courts 
may not impose adequate penalties for activities that cause less disruption — and they could 
conceivably impose no penalty at all in the case of an attempt that is thwarted before it is 
completed. 

In light of the grave risk posed by those who might compromise our critical 
infrastructure, the Department believes that the enhanced penalties for such malicious activity 
called for in ICPA not only will appropriately punish offenders, but also will more effectively 
deter others who would engage in misconduct that puts public safety and national security at risk. 
Criminals and other malicious actors should know that any attempt to damage a vital national 
resource will result in serious consequences. 
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F, Updated tools for investigators and prosecutors 

We have long had eoneems about the text of the “Pen Register and Trap and Traee” 
(“PRTT”) statute that is used, among other things, to support eomputer security. The PRTT 
statute’s exceptions — which, for example, permit a provider, but not a user, of wire or 
electronic communications services to monitor their own network — are subtly and inexplicably 
different than the Wiretap Act’s exceptions. The existing language in the PRTT statute has been 
difficult to apply, resulting in complex legal analyses for services as simple as Caller ID. The 
Wiretap Act’s rules appropriately protect the content of communications; they are more than 
adequate to protect non-content information, which is much less sensitive. Importing the 
Wiretap Act’s exceptions into the PRTT statute would remedy these problems and result in a 
more logical framework for applying these two related statutes that regulate the real-time 
collection of communications. There is no reason why a user of a PRTT device, whether a 
private or governmental entity, should be precluded from logging his or her own 
communications. We have proposed language under which the PRTT statute would continue to 
protect user privacy, but it would no longer inappropriately limit private entities’ or the 
Government’s ability to use PRTT devices on their own computer networks. 

Finally, we support several amendments to the CFAA, which are reflected in the ICPA. 
Key amongst these changes would be amendments to 18 U.S.C. § 2513, which would bring the 
forfeiture provisions of the CFAA in line with other federal criminal statutes, providing concrete 
procedures for the forfeiture of property used to commit or facilitate a violation of this statute as 
well as the proceeds of such violation. These amendments support consistent application of the 
law, while maintaining the Government’s ability to dismantle and disrupt criminal operations and 
deter future violations, both when prosecutors are able to reach violators and when those 
violators are located overseas beyond the judicial reach of our courts. The amendments in ICPA 
are a measured and sensible addition that will help assure that criminal hackers do not profit from 
their crimes. 

We also support the change in ICPA that would make the sale or advertising of a 
surreptitious interception device under 18 U.S.C. § 2512 a predicate offense under the federal 
money laundering statutes. Section 2512, which is part of the Wiretap Act, has proven to be a 
valuable tool for protecting the privacy of innocent Americans by criminalizing the manufacture, 
distribution, possession, and advertising of devices, such as spyware, that unlawfully collect 
private communications. Section 2512 is not a predicate offense under 18 U.S.C. §§ 1956 and 
1957, however, which impedes the Government’s ability to punish and deter certain offenders 
who conceal and spend their ill-gotten gains by selling and advertising spyware and other illegal 
interception devices. 
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IV. Conclusion 


I want to thank the Subcommittee again for providing me this opportunity to discuss these 
important issues on behalf of the Department of Justice. Americans should be able to turn to the 
Government for leadership, especially when facing cyberattacks from nation states and from 
equally sophisticated criminals. We look forward to continuing to work with Congress to 
improve the Government’s ability to respond to these cyber threats. I am happy to answer any 
questions you may have. 
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